1. Field of the Invention
The present invention generally provides an inherited role-based access control system, method and program product.
2. Related Art
As the use of computer networks becomes more pervasive, organizations are increasingly seeking better ways to implement access control for their computer-based resources (e.g., servers, storage spaces, etc.). Access control can not only help prevent those outside of the organization from accessing the resources, but can also be used to limit access by internal personnel.
Traditionally, access control has been provided through the use of access control lists (ACLs), whereby users are associated with specific permissions to access or interact with various resources. To this extent, an ACL is typically viewed as a person-by-person or group-by-group enumeration of permissions. Unfortunately, whenever a permission within an ACL changes, the ACL must be recreated with the changed permission. As such, configuring or changing an ACL is not an easy process. This is especially the case where finely grained control over the permission levels is desired, such as when resources are arranged as a hierarchical tree of nodes. Specifically, when resources are arranged hierarchically, it could be desired for a person or group to have a certain set of permissions for one set of nodes, while having an entirely different set of permissions for another set of nodes. An ACL-based approach generally requires that the permissions for each user or group be specified for each node within the ACL. This can make creating and/or maintaining the ACL an extremely complex task.
These problems are especially apparent if permissions are desired to be inherited through a chain of descendants in the hierarchy. For example, it could be the case that permissions assigned to one node are desired to be inherited by hierarchical descendants of that node. An ACL-based approach would require the permissions to be specifically enumerated for each node. Although various solutions have been suggested for attempting to provide inherited permissions, no existing solution offers an easy way to exercise finely grained control over the inheritance concept. For example, if node “X” has two child nodes “Y” and “Z,” it could be desired for some combinations of permissions (so-called role types) assigned to node “X” to be inherited by node “Y” but not node “Z,” and for some other combinations to be inherited by both nodes “Y” and “Z.” The existing solutions require either that the permissions be specifically enumerated or that a complex set of rules be developed. In any event, no existing solution provides an easy way to express finely grained control over a hierarchy of resources.
In view of the foregoing, there exists a need for an inherited role-based access control system, method and program product. Specifically, a need exists for a system in which particular generic actions can be associated with certain role types. A further need exists for a system that allows role instances of specific role types to be bound to nodes of a hierarchical tree that correspond to computer-based resources. Still yet, a need exists for the role instances to be inherited by hierarchical descendants of the nodes to which they have been bound, unless a role-based block has been established for the corresponding type of role.
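The following is an added example, written for this page and not code from the patent or from any product it describes. It models the scheme the preceding paragraphs motivate: role types map to generic actions, role instances bind a principal to a role type at a node, and an instance is inherited by descendants unless a role-based block for that role type is established on the path. The role type names (Viewer, Editor), action names, principals and the X/Y/Z/W tree are constructed; the precise block semantics (a block at a node stops inheritance of that role type from the node's ancestors into the node and its subtree, while bindings made at the blocked node itself still apply) are an assumption made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Role types and the generic actions each one grants. The two role types and
# the action names are constructed for this example.
ROLE_TYPES: Dict[str, Set[str]] = {
    "Viewer": {"read"},
    "Editor": {"read", "write"},
}


@dataclass
class Node:
    """One resource in the hierarchical tree."""
    name: str
    parent: Optional["Node"] = None
    children: List["Node"] = field(default_factory=list)
    # Role instances bound directly at this node: (principal, role_type).
    bindings: Set[Tuple[str, str]] = field(default_factory=set)
    # Role types for which a role-based block is established here (assumed
    # semantics): instances of these types bound at ancestors are not
    # inherited by this node or its descendants; bindings made at this node
    # itself still apply.
    blocks: Set[str] = field(default_factory=set)

    def add_child(self, name: str) -> "Node":
        child = Node(name, parent=self)
        self.children.append(child)
        return child


def bind_role(node: Node, principal: str, role_type: str) -> None:
    """Bind a role instance of `role_type` for `principal` at `node`."""
    if role_type not in ROLE_TYPES:
        raise ValueError(f"unknown role type: {role_type}")
    node.bindings.add((principal, role_type))


def block_role(node: Node, role_type: str) -> None:
    """Establish a role-based block for `role_type` at `node`."""
    if role_type not in ROLE_TYPES:
        raise ValueError(f"unknown role type: {role_type}")
    node.blocks.add(role_type)


def effective_roles(node: Node, principal: str) -> Set[str]:
    """Role types the principal holds at `node`, including inherited ones.

    Walk from the node up to the root. A binding at the current node counts
    unless a block for its role type was seen on a node strictly below it on
    the path; the current node's own blocks join the blocked set only after
    its bindings have been examined, so a direct binding at a blocked node
    still applies there.
    """
    roles: Set[str] = set()
    blocked: Set[str] = set()
    current: Optional[Node] = node
    while current is not None:
        for bound_principal, role_type in current.bindings:
            if bound_principal == principal and role_type not in blocked:
                roles.add(role_type)
        blocked |= current.blocks
        current = current.parent
    return roles


def is_allowed(node: Node, principal: str, action: str) -> bool:
    """True if any effective role type at the node grants the action."""
    return any(action in ROLE_TYPES[rt] for rt in effective_roles(node, principal))


def build_example_tree() -> Dict[str, Node]:
    """Constructed tree X -> {Y, Z}, Z -> W, mirroring the X/Y/Z case above."""
    x = Node("X")
    y = x.add_child("Y")
    z = x.add_child("Z")
    w = z.add_child("W")
    bind_role(x, "alice", "Editor")   # inherited by Y, but blocked at Z
    bind_role(x, "alice", "Viewer")   # inherited by every descendant of X
    bind_role(x, "bob", "Viewer")
    block_role(z, "Editor")           # Editor instances from above stop at Z
    bind_role(z, "carol", "Editor")   # a direct binding at Z is unaffected
    return {"X": x, "Y": y, "Z": z, "W": w}


if __name__ == "__main__":
    tree = build_example_tree()
    for name in ("X", "Y", "Z", "W"):
        for who in ("alice", "bob", "carol"):
            print(name, who, sorted(effective_roles(tree[name], who)))
```

Two things to notice when running it: alice's Editor instance reaches Y but not Z or W, while her Viewer instance reaches all four nodes, which is exactly the per-role-type selectivity the paragraph above asks for; and the whole policy is four bindings and one block, whereas an equivalent ACL would enumerate each principal's permissions at each of the four nodes and need regeneration whenever one of them changed.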